Over half of UK businesses aren’t compliant with the GDPR more than 15 months after its introduction, despite many reporting data security incidents to the ICO, according to new research from Egress.
The security vendor polled 250 “GDPR decision-makers” from companies of all sizes and sectors to compile its new report, GDPR compliance: where are we now?
Some 52% said they were not fully compliant with the EU-wide data protection regulation, and over a third (35%) said compliance had dropped down the priority list over the past year. That is concerning, because GDPR compliance cannot be achieved through a one-off tick-box exercise; it requires continual attention as data flows, suppliers and staff change.
Just 6% said the recent ICO fines issued to BA and Marriott raised the profile of GDPR again within the business.
Although 42% of respondents rated their firm as “mostly compliant,” it’s unclear which elements were still lacking. Data breach threats can come from anywhere and it only takes a small oversight for a potentially serious incident to occur.
Bearing this out, over a third of respondents (37%) reported at least one incident to the ICO in the past 12 months. According to Egress-obtained FOI information, 60% of security-related personal data breach incidents reported to the watchdog in the first six months of 2019 were caused by human error.
The findings suggest that mid-sized companies are either the most exposed to data security incidents or the most diligent in reporting them to the regulator.
Over half (53%) of mid-size companies (250-999 employees) reported data breaches to the ICO in the past 12 months, compared with 36% of small companies (1-249 staff) and only 23% of enterprises (1000+ employees), according to the report.
“Since the rush to meet last May’s deadline, we now appear to be seeing an ‘almost compliant is close enough’ attitude towards GDPR. The wait of more than a year between implementation and the first action taken by the ICO under GDPR seemed to lead to a perception outside the security industry that the regulation was ‘all bark and no bite’,” argued Egress CEO, Tony Pepper.
“Although the authority’s announcement that it intends to fine British Airways and Marriott such staggering sums sent shockwaves through the security community, it is concerning that only 6% of organizations have taken action to avoid the full potential of the legislation. These announcements should definitely have acted as a clearer warning that organizations cannot risk compliance complacency.”
He added that any technology solutions brought in need to tackle the underlying problem of human error by modelling employee behavior, so that they can block phishing attacks, prevent misdirected emails and stop the wrong documents being attached.
“Reliance on people to follow processes and protect data is only going to get organizations so far: people are always going to make mistakes or behave unexpectedly, and more must be done to provide a safety net that protects sensitive information,” Pepper said.